Dejan Kosutic If you are working as an ISO 27001 consultant or practitioner, you are probably heavily dependent on the ISO27k series of standards. Since there are quite a lot of them (see the list here), it is a good idea to keep any eye on the upcoming changes.
As I mentioned in an article on what to expect in 2013, the main standards in this series (ISO 27001 and ISO 27002) were revised last year, and here are the changes expected in 2014:
ISO/IEC 27000 – This standard gives an overview of information security management, as well as the vocabulary (explanation of main terms) for information security. A new revision was already published earlier in January 2014.
ISO/IEC 27004 – This is the standard that defines how to measure information security. The current (2009) version is being revised, and the new revision is expected to be published, if not in 2014, then in the first half of 2015.
ISO/IEC 27005 – This standard describes information security risk management – since this area has changed a bit in the new ISO27001:2013, ISO 27005 will be changed as well – if not in 2014, then certainly in 2015.
ISO/IEC 27011 is the standard that provides guidelines for information security management in telecoms – since it relies heavily on ISO 27002, it will be revised probably in 2014 due to the many changes brought about by ISO 27002:2013.
ISO/IEC TR 27016 is the standard that defines organizational economics for information security management. The standard will enter the FDIS phase at the beginning of 2014, so it is realistic to expect the final version to be published in 2014.
ISO/IEC 27018 is the standard that will provide the code of practice for data protection controls for public cloud computing services, and it depends heavily on ISO 27002. It has entered the DIS stage at the beginning of 2014, so the final version might be published by the end of the year.
ISO/IEC 27033-4 is the standard that speaks about network security – on how to secure communications between networks using security gateways. It is expected to be published in the second half of 2014.
ISO/IEC 27036-1 is the standard that gives an overview and explains the concepts related to information security and supplier relationships. It will be published in the first quarter of 2014.
ISO/IEC 27036-2 is the main standard that describes the requirements related to information security for supplier relationships. At the beginning of 2014 it was in the FDIS stage, so it is realistic to assume that the final version will be published by the end of 2014.
ISO/IEC 27038 is the standard that gives specifications for digital redaction – redaction here is the term for the process of denying file recipients knowledge of certain sensitive data within the original files. This standard will also be published by the end of 2014.
ISO/IEC 27039 is the standard that describes selection, deployment and operations of intrusion detection systems (IDPS) – it was in the DIS stage at the beginning of 2014, so it will hopefully be published by the end of 2014.
ISO/IEC 27043 is another standard that deals with incidents, or to be more precise – with incident investigation principles and processes. Similar to a couple of other standards, it is in the DIS stage, so hopefully it will be published by the end of 2014 (or the beginning of 2015).
If you’re in this business, you’ll have a lot to read!
To learn about the requirements of the standard, check out this free white paper Clause-by-clause explanation of ISO 27001.
Rhand Leal